Paranoid Penguin - Building a Secure Squid Web Proxy, Part IV

The last thing you need to do is reconfigure Squid to use squidGuard as
a redirector and tell it how many redirector processes to keep running.
The location of your squidGuard binary is highly distribution-specific; to
be sure, you can find it like this:

bash-$ which squidGuard
/usr/bin/squidGuard

As for the number of redirector processes, you want a good balance of
system resource usage and squidGuard performance. Starting a lot of
redirectors consumes resources but maximizes squidGuard performance,
whereas starting only a couple conserves resources by sacrificing
squidGuard performance. Ubuntu's default of 5 is a reasonable middle
ground.

The squid.conf parameters for both of these settings (redirector location
and number of processes) differ depending on which version of Squid
you're using with squidGuard. For Squid versions 2.5 and earlier, they're
redirect_program and redirect_children. For Squid versions 2.6 and
later, they're url_rewrite_program and url_rewrite_children.

For example, on my Ubuntu 9.04 system, which runs Squid version 2.7, I used
a text editor (run via sudo) to add the following two lines to
/etc/squid/squid.conf:

url_rewrite_program /usr/bin/squidGuard
url_rewrite_children 5

As with any other time you edit /etc/squid/squid.conf, it's probably a good
idea to add custom configuration lines before or after their corresponding
comment blocks. squid.conf, you may recall, is essentially
self-documented—it contains many lines of example settings and descriptions of them, all
in the form of comments (lines beginning with #). Keeping your
customizations near their corresponding examples/defaults/comments both
minimizes the chance you'll define the same parameter in two different
places, and, of course, it gives you easy access to information about the things
you're changing.

By the way, I'm assuming Squid itself already is installed,
configured and working the way you want it to (beyond blacklisting). If
you haven't gotten that far before installing squidGuard, please refer to my
previous three columns (see Resources).

Before those changes take effect, you need to restart Squid. On
most Linux systems, you can use this command (omitting the sudo if you're
already in a root shell):

bash-$ /etc/init.d/squid reload

If you get no error messages, and if when you do a ps -axuw | grep squid
you see not only a couple Squid processes, but also five squidGuard
processes, then congratulations! You've now got a working installation of
squidGuard.
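A check to run on squid.conf before the reload, as an added example that is not part of the original article: it flags a redirector directive defined more than once, a mix of the old and new directive names, a redirector path that is not an executable file and a process count that is not a positive integer. The function name check_rewriter and the finding labels are made up for this example, and the sample configuration at the end is constructed.

```shell
#!/bin/sh
# Added example (not from the article): lint the redirector settings in a squid.conf.
# Prints one line per finding; returns 0 if clean, 1 if anything was found.
check_rewriter() {
    conf=$1; status=0; new=0; old=0
    [ -r "$conf" ] || { echo "UNREADABLE: $conf"; return 2; }
    for d in url_rewrite_program url_rewrite_children \
             redirect_program redirect_children; do
        # Active definitions only: commented examples start with '#' and never match.
        n=$(grep -c "^[[:space:]]*${d}[[:space:]]" "$conf" || true)
        if [ "$n" -gt 1 ]; then
            echo "DUPLICATE: $d is defined $n times"
            status=1
        fi
        if [ "$n" -gt 0 ]; then
            case $d in url_rewrite_*) new=1 ;; *) old=1 ;; esac
        fi
    done
    if [ "$new" -eq 1 ] && [ "$old" -eq 1 ]; then
        echo "MIXED: both redirect_* and url_rewrite_* names are present"
        status=1
    fi
    # First active value of each setting, whichever naming scheme is in use.
    prog=$(awk '$1 ~ /^(url_rewrite|redirect)_program$/ { print $2; exit }' "$conf")
    kids=$(awk '$1 ~ /^(url_rewrite|redirect)_children$/ { print $2; exit }' "$conf")
    if [ -z "$prog" ]; then
        echo "MISSING: no redirector program is configured"
        status=1
    elif [ ! -f "$prog" ] || [ ! -x "$prog" ]; then
        echo "NOTEXEC: $prog is not an executable file"
        status=1
    fi
    # An absent children line is not reported; a present one must be a positive integer.
    case $kids in
        '') ;;
        *[!0-9]*|0) echo "BADCOUNT: children value '$kids' is not a positive integer"; status=1 ;;
    esac
    return $status
}

# Constructed sample: the same directive defined in two places.
demo=$(mktemp)
printf 'url_rewrite_program /usr/bin/squidGuard\nurl_rewrite_children 5\nurl_rewrite_children 8\n' \
    > "$demo"
check_rewriter "$demo" || true
rm -f "$demo"
```

Point it at the real file with `check_rewriter /etc/squid/squid.conf` and reload only when it prints nothing.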

But is it actually doing what you want it to do? Given the filters we just put
in place, the quickest way to tell is, on some client configured to use your Squid
proxy, to point a browser to http://www.gotomypc.com (a site in the
remotecontrol blacklist). If everything's working correctly, your browser
will not pull up gotomypc, but rather Google. squidGuard is
passive-aggressively encouraging you to surf to a safer site!

Conclusion

squidGuard isn't the only Squid add-on of interest to the security-conscious. squidtaild and squidview, for example, are two different programs for
monitoring and creating reports from Squid logs (both of them are available
in Ubuntu's universe repository). I leave it to you though
to take your Squid server to the next level.

This concludes my introductory series on building a secure Web proxy with
Squid. I hope you're off to a good, safe start!

Mick Bauer (darth.elmo@wiremonkeys.org) is Network Security
Architect for one of the US's largest banks. He is the author of
the O'Reilly book Linux Server Security, 2nd edition (formerly called
Building Secure Servers With Linux), an occasional presenter at
information security conferences and composer of the “Network
Engineering Polka”.

Squid has been working fine for several days, I have a fairly complex set of acls and http_access rules because I am trying to dole out computer time to my kids during the holidays. I am also trying to stop access to certain sites during my "peak time" allocated by my ISP. After working through the obvious errors that a relative newb introduces without meaning to, it is stable, and predictable in behaviour and performance. Suffice to say that I have stripped the squid.conf of unnecessary clutter (comments and unused settings) and have added some structure to it that makes sense to me when going in to tweak it. I do have the original file in two places for referencing when I get into trouble, so can always reinstall and add my tweaks if needed.

Next step was to add squidguard for a deeper level of filtering...

So, I have assiduously followed the instructions here even to the point of copying the errors which reveal themselves on re-reading, e.g. "bash-$ /etc/init.d/squid reload" is missing sudo at the start of the line (it is dereferenced in the preceding paragraph). After correcting the obvious errors

However, the moment I reload squid or restart squid it fails to load

I actually rebuilt a server because this happened the first time (over a week ago now) thinking that I had damaged some system files (of course I hadn't, but it was worth the practice of installing a new version of the server anyway)

So what can I be doing wrong? The only thing that makes sense is that I am adding the squidguard lines in the wrong place, but after having reviewed the original squid.conf my original placement was correct. So, are there any hidden traps for beginners that aren't mentioned in the article?

I had used parentheses () instead of curly braces {}, which with my eyesight the way it is these days (even with my computer prescription glasses) are so similar to a glance rather than a close inspection, that it totally slipped on by

Caught by the worst of the gotchas for newbs who aren't new to programming (hangs head in shame)

Ah, well, at least if anyone else runs across this there is a solution already (I'd gone looking for the matching braces problem and found the bigger one)